I use Fedora and I installed wine using yum. I remember reading somewhere that one should run wine as user "nobody" so that insecure programs (say, IE) don't open up one's Linux box for attacks.
How do I run wine securely so that even if I run an insecure program under wine, it won't be able to access any of my user files? I want to login as sarav and still be able to run wine and not let it access my files. How do I do this?
You could create a user locked in their home directory, and only give them permission to use WINE, effectively stopping WINE from editing files the user doesn't own and stopping anyone else from using it.
But how do I run win32 apps logged in as a different user? Also, how do I make sure that all files created by the user automatically have group write permissions?
Btw, I'm currently using wine under my user and wanted to prevent access to root dirs. So I removed the root dir using winecfg. But when I do "File->Open" in any win32 app, I still see the root dir under "My Desktop". How do I remove that?
Remember that Wine is a user-mode program; it runs as "you," in your own session. It does not have a separate daemon component .. no, "wineserver" is not a daemon.
If you want to ensure that an IE session, say, cannot do anything malicious, then the problem is exactly the same as how one would address the problem if neither IE nor Wine were involved. It would be the same as you would face if, say, you were guarding against a malicious Java applet running on your own favorite Linux browser.
You would do this by setting up a separate user account, connecting to it, and doing your work in that account. XWindows and XOrg can both allow you to start new graphical sessions on the same terminal, and you switch between them with a Shift+Ctrl+Fn sequence.
You can also use the command-line su username command, or even sudo, to execute a particular command as someone else. You might find that capability built-in to your favorite graphical shell, akin to Microsoft Windows' "run as user" facility.
A process that is launched as a particular user is strictly limited to the capabilities assigned to that user. If you wish to make your own files "strictly off limits" to some process that you ("the person") have initiated .. this is how to do it. It applies equally to Windows and Linux.
I actually don't think that by running IE under wine you will have any issues with security. In a sense it runs in its own sandbox, and if it were to get infected, which I doubt, all you would have to do is delete the .wine profile. Next time you start wine it would generate a new one.
sundialsvcs, I agree/knew that risks due to IE is similar to risk due to any other untrusted linux app. But the problem is that more people try to attack IE rather than some random Linux app.
Also, I don't consider that IE is as secure and well written as other linux apps (might be wrong here).
So my question is still well placed, but so is your solution. Have to dig into sudoing as another user. I know only to sudo as root not as another user.
jlo_sandog, No. IE doesn't run in a sandbox. IE runs natively (hence Wine Is Not an Emulator). So once a buffer overflow in IE is used to inject code, all a blackhat needs to do is inject linux specific code instead of windows specific code and your linux user account goes boom.
That's not what you claimed in your previous post. According to your previous post (quote: "and if it were to get infected, which I doubt, all you would have to do is delete the .wine profile"), IE infection can never affect any linux user files that are not made available through drive mapping in winecfg.
Also, just because we don't expect someone to attack Linux through IE+Wine doesn't mean the problem doesn't exist.
Anyway, let's not deviate from the main topic of this thread. Btw, I think sundialsvcs answered my question.
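The separate-account approach described in this thread, sketched as an added example that is not part of any post: two checks that show what another local account could reach under your home directory, and a launcher that runs Wine as that account with `sudo -u`. The account name `winebox` is hypothetical, and the script assumes a GNU/Linux system with `sudo`, `xhost` and `wine` installed.

```shell
#!/bin/sh
# Added example. "winebox" is a hypothetical dedicated account; create it once:
#   sudo useradd --create-home winebox
# Keep it out of your own groups, or the group permission bits apply to it too.
WINE_USER="${WINE_USER:-winebox}"

# Succeeds if accounts other than the owner/group can traverse into DIR.
# Without the "other" execute bit on DIR, nothing beneath it is reachable.
# Only DIR's own mode bits are checked; parent directories and ACLs are not.
others_can_enter() {
    [ -n "$(find "$1" -prune -perm -o=x -print 2>/dev/null)" ]
}

# Print entries under DIR that "other" accounts may read or write.
# Symlinks are skipped because their own mode bits are meaningless.
exposed_files() {
    find "$1" -xdev ! -type l \( -perm -o=r -o -perm -o=w \) -print 2>/dev/null
}

# Run a Windows program as the dedicated account instead of as yourself.
run_wine_as_other_user() {
    # Allow only that one local account to use the current X display.
    xhost "+SI:localuser:${WINE_USER}" >/dev/null || return 1
    # -H points HOME at winebox's home, so the Wine prefix (.wine) lives there.
    # umask 002 makes files the program creates group-writable.
    sudo -u "$WINE_USER" -H env DISPLAY="$DISPLAY" \
        sh -c 'umask 002; exec wine "$@"' wine "$@"
}

# Typical session, typed as your normal user:
#   others_can_enter "$HOME" && chmod o-rwx "$HOME"
#   exposed_files "$HOME"            # review anything still listed
#   run_wine_as_other_user 'C:\Program Files\SomeApp\app.exe'
```

A process started this way still shares your X display, so it is separated from your files by ordinary file permissions, not from your desktop session.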